openAI | Projects | multiple API key handling

With OpenAI’s project functionality, it’s possible to assign API keys to different users. When using this feature in conjunction with the API connector, it becomes necessary to make the authorization a variable for certain API calls.

While these API keys can be securely stored in the database under appropriate privacy rules, the question arises whether passing these keys as input variables within a workflow is secure enough.

Ideally, I would prefer to mark the key as private; however, this prevents me from adding it to the workflow. This raises a concern that the API key might be exposed client-side—am I misunderstanding the situation?

Is there a way to prevent the API key from being exposed client-side, or am I misinterpreting the scenario?

Additionally, if I ensure that all API calls are handled on the back-end, does that guarantee that the API key would never be exposed client-side?

Scherm­afbeelding 2024-08-09 om 14.25.24861×294 19.4 KB

Thanks!

Whatever you send in a client-side workflow is accessible to users. Which means, the API key would.
The solution for this that I can think of, is to add this call in a backend workflow and dynamically specify the API key from there; and call this workflow using Bubble’s App or API connector.

If you store an API for a user, and this user provide the API key and only this user have access to this data (using privacy rules), this is not a problem to use the call because the API key belong to the user.

In other case, like @Zeroic, the only solution is to use backend WF.